We have been talking a lot about the California Invasion of Privacy Act (CIPA) around here lately.
I wanted to pause and really explain why this statute matters so much to make sure everyone gets it–and takes a few simple steps to avoid potential exposure–before they get hammered.
So first, what is CIPA?
A weird little statute hidden within California’s Penal–that means Criminal–Code that contains a civil right of action including statutory damages of up to $5,000.00 per violation. (By comparison, the TCPA’s damages only range as high as $1,500.00.) And like the TCPA, class action litigation is permitted– so you can be sued for millions, billions or-in the case of Facebook–even trillions.
So what is prohibited under CIPA? A few things.
First, the old-fashioned “classic” CIPA cases– recording telephone calls without consent. Under Cal. Penal Code Section 632 it is illegal to record a phone call with a California consumer without consent. And the California Supreme Court held back in 2006 that this rule applies even if the party recording the call is out of state–so it doesn’t matter if you’re not doing business in California. If you are talking to a California consumer you better be advising before you record them!
But the “classic” CIPA cases are on the wane. Most folks know they have to disclose when recordings are taking place. So there’s not much action there.
Instead, the “new” cases rattling the (CIPA)World all have to do with internet activity and they arise under Section 631 of CIPA. And as with 632, the statute applies to anyone who has a website folks, even if you are not directly targeting California consumers. If they can visit your website, you are potentially at risk.
Section 631 provides–in relevant part–is is illegal to “read, or attempt to read, or to learn the content or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state.” Courts have held that “message, report or communication” incudes internet server session information–so activity taking place to “read or learn” the contents of information shared on the internet may constitute “eavesdropping” and will trigger Section 631.
This has lead to a HUGE spike in “new” CIPA cases arising out of “eavesdropping” claims and come in three varieties: i) web session recording; ii) web session analysis; and iii) chat box usage.
Importantly, in all three settings a third-party vendor must be involved to trigger the statute. Hence, a business is free to record its own web sessions with consumers, analyze those sessions in real time and communicate with a consumer using a chat box on their website. But anytime a third-party is involved facilitating those activities there is a risk of an eavesdropping CIPA claim.
Web session recording: Many websites will use third-party to capture web session details to confirm, for instance, that a consumer has provided consent to be contacted–or other forms of consent–while on a website. Ironically, the use of these platforms–such as Jornaya and Active Prospect–is often done to shield website users from liability under other statutes (such as the TCPA.) But they may create liability under CIPA. Notably, however, this flavor of CIPA case is the weakest because the CIPA prevents real-time reading of communications, not recording of communications. So it remains to be seen how far these cases will go–although Plaintiffs have earned a handful of victories here.
Web session analytics: A second–and more dangerous–breed of CIPA cases involve the use of third-party web session analytics technologies. Many website operators will turn to third-parties who provide software that provide analytics regarding consumer experience on their website. This can help website operators to learn where a consumer may be struggling to navigate the website, or which displays or formats are most appealing to customers. Despite the fact that this technology might be used solely to enhance a consumer’s experience on a website, the use of this technology without consent may violate CIPA because a third-party is involved in analyzing and read information sent back and forth between consumers and the website in real time.
Chat boxes: Perhaps the most dangerous type of CIPA case–and perhaps the lest obvious–is the chatbox setting. Many companies will use a third-party vendor that supplies a chatbox to permit communication between consumers and the website operator. But if the consumer is not informed that a third-party may be “listening in” to these communications–the vendor almost always has access to the text of communications in real time and may even be serving as a proxy communication channel for the website operator–the use of these chat boxes may also violate CIPA.
As noted above, there are a HUGE number of new filings under CIPA and these lawsuits are NOT limited to companies operating within California. If California consumers can use your website you may be at risk.
The good news is that there are some fairly simple things you can do to assure you are protected from CIPA violations. Assuring consumers accept disclosures reflecting the use of web session recording and analytics software BEFORE any recording begins is critical. And chat boxes should ALWAYS disclose that third-parties may be operating the feature and that information may be shared with these individuals in real time.